Configure a SCIM user directory integration with Okta
Before You Begin
Complete the steps outlined in the SCIM Directory Integration support article to set up a new SCIM user directory in your Kandji instance. You will need to obtain the SCIM access token and API URL.
Ensure you’re using Okta’s Advanced Lifecycle Management plan, which supports built-in, standards-based provisioning for SCIM.
Copy and store the token provided, as outlined in SCIM Directory Integration. The token will not be visible once you click Done, and it will be required in a later step.
- Log into your Okta Production or Developer tenant via login.okta.com.
- Once logged in, create a new Application Integration by going to Applications > Applications.
Note: The Kandji application available in the Okta Integration Network (OIN) cannot be provisioned for SCIM. A new Application Integration must be created to leverage SCIM. This new app integration will not interfere with any existing Okta SSO integration leveraging the OIN Kandji application.
- Click Create App Integration.
- Select SAML 2.0 on the App Integration Wizard screen and click Next.
- Give the App a name, such as Kandji SCIM App. Check both boxes within the App visibility section and click Next.
- In the SAML Settings section, enter a dummy URL in the Single sign-on URL and Audience URI (SP Entity ID) fields. Leave the defaults in all other fields, scroll to the bottom of the page, and click Next.
Note: Since we will not be using this application integration for SSO, the URLs do not need to be valid; however, you must enter URLs in these fields in order to proceed.
- In the section Help Okta Support understand how you configured this application, select the first radio button, I’m an Okta customer adding an internal app. Skip the Optional fields, scroll to the bottom of the page, then click Finish.
- You should now be in a new Application Integration named Kandji SCIM App (or whatever name you chose in step 6 above) on the Sign On tab.
- Navigate to the General tab, click Edit under App Settings, and select SCIM in the Provisioning section. Leave the defaults in the other fields and click Save.
- Open the Provisioning tab. There, select Integration, then click Edit within the SCIM Connection section.
- Enter the SCIM connector base URL obtained in step 9a in the SCIM Directory Integration article mentioned above.
- Enter userName in the Unique identifier field for users field.
- Select the checkboxes for Push New Users and Push Profile Updates.
- Change Authentication Mode to HTTP Header.
- Enter the Bearer Token you obtained in the SCIM Directory Integration article mentioned above.
- Click Test Connector Configuration to test the integration. Your results should look like the sample below. Click Close to close the Test Connector Configuration window, then click Save to save the SCIM Connection settings.
- You should still be on the Provisioning tab in the To App section under Settings.
- In the Provision to App section, click Edit.
- Set the checkboxes to Enable for Create Users, Update User Attributes, and Deactivate Users within the Provisioning to App section and click Save.
- Go to Directory > Groups to create a user group for Kandji Users and click Add Group.
- Give the group a Name such as Kandji Users, and enter a Group Description.
- If User Accounts already exist in your Okta instance, go to step 20. If not, to add a User Account, go to Directory > People on the left pane menu and click on the Add Person button.
- Create a test user account in Okta by filling out the Add Person wizard:
- In the Groups field, start typing the first few letters of the Group created in Step 17, then select it when the correct group name appears.
- For Password, select Set by Admin.
- Deselect User must change password on first login.
- In Directory > Groups, you should see the new group in the list of Groups; click on the Kandji Users group.
- Click on the Manage Apps button to assign the Application created in Steps 4 through 10.
- Click on the Assign button next to Kandji SCIM App (or whatever you named it).
- Set Preferred Language and Locale for users in this group. All other fields can be left blank.
- Confirm the Kandji SCIM App has been Assigned and click Done.
- You should now see the User Account(s) that were added to the Kandji Users group in your Kandji instance.
User syncing is one-way, meaning the Okta Kandji SCIM app will send user information to Kandji when there is new information to be sent. Therefore, 'Sync Now' is not an option available in the web app.
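The SCIM connection settings entered above (connector base URL, userName as the unique identifier, HTTP Header authentication with a bearer token) can also be checked from a terminal. The script below is an added example, not code from Kandji or Okta. It assumes the API URL exposes the standard RFC 7644 /Users resource with filter support and accepts an Authorization: Bearer header; the environment variable names and test user are hypothetical.

```python
import json
import os
import urllib.error
import urllib.parse
import urllib.request


def build_lookup(base_url, token, user_name):
    """Build a SCIM 2.0 (RFC 7644) lookup for one userName value."""
    if urllib.parse.urlsplit(base_url).scheme != "https":
        raise ValueError("base URL must be https; the bearer token rides in a header")
    if not token or token != token.strip() or token.lower().startswith("bearer "):
        raise ValueError("supply the raw token; the 'Bearer ' prefix is added here")
    # Filter values are JSON strings, so json.dumps() quotes and escapes the name.
    query = urllib.parse.urlencode({"filter": f"userName eq {json.dumps(user_name)}"})
    return urllib.request.Request(
        f"{base_url.rstrip('/')}/Users?{query}",
        headers={"Authorization": f"Bearer {token}",
                 "Accept": "application/scim+json"},
        method="GET",
    )


def check_connector(base_url, token, user_name, opener=urllib.request.urlopen):
    """Send the lookup; return (HTTP status, totalResults or None)."""
    request = build_lookup(base_url, token, user_name)
    try:
        with opener(request, timeout=10) as response:
            return response.status, json.load(response).get("totalResults")
    except urllib.error.HTTPError as err:
        # 401 usually means a mistyped or revoked token, 404 a wrong base URL.
        return err.code, None


if __name__ == "__main__":
    # Hypothetical variable names; reading from the environment keeps the
    # token out of this script and off its command line.
    status, total = check_connector(
        os.environ["KANDJI_SCIM_URL"],
        os.environ["KANDJI_SCIM_TOKEN"],
        os.environ.get("SCIM_TEST_USER", "test.user@example.com"),  # constructed
    )
    print(f"HTTP {status}, matching users: {total}")
```

A 200 status with a count of 0 before the group is assigned and 1 afterwards indicates that the token, base URL, and userName mapping all line up.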